httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Holsman <>
Subject Re: [RFC} mod_suexec... changing the ap_hook_get_suexec_identity
Date Tue, 06 Aug 2002 15:08:06 GMT
Ryan Bloom wrote:
>>From: Ian Holsman []
>>hi guys.
>>currently the hook takes a request_rec as a parameter.
>>but from what I can see it only ever can be set at the server
>>level/vhost level.
>>so .. if no one objects I'm going to change it to be passed a
>>server_rec* into or a
>>request_rec one.
>>affected files would be modules/generators/mod_suexec.c
>>unixd/unixd.c both of which have the server-rec.
>>this change is to allow other things to start suexec'd things at
> startup.
> Why do you want to be able to start other suexec'd things at startup?
> Wouldn't the security model for SuExec make this complex?  For example,
> the program being run must be within the Apache web space.  Why would
> you want to run a program in that space at startup?
for FastCGI.
it needs to spawn some procs which do CGI. so it suExec's the program 
which sits there for all the requests to use.

> If you do want to run a program at startup, won't it work to just suid
> the program you want to run?  The SuExec security model is tuned to
> being run at request time, and I want to be sure that we don't weaken
> that model to allow running SuExec at startup. 

> Ryan

View raw message